Overview

overview

10

Static

static

3

5bd91a97aa...18.exe

windows7-x64

10

5bd91a97aa...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    19-05-2024 22:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe

  • Size

    658KB

  • MD5

    5bd91a97aa2e10adc9c00c400b50158f

  • SHA1

    16c2d0132914fe69e2d3bee62bd868f256a1db3a

  • SHA256

    d358c87cf527ba9f5036d0fa620101d49d526c023187f29a86f3fdb8510263d6

  • SHA512

    26c7b202a08e8a18c2a61ee2017b6e696f82649241335863073dd89faa05f31eac187f5d7c540733a6833b7d5ea65ecfbeeb86d9bb1af64a7b9e0a6dbcbbb304

  • SSDEEP

    6144:qIO3wz0Co3sLuwhOAJBGiDZdDn6h60rk8/W7Tr7s5A0fgYXkSByW7huU0:XHpZdOU0rk8qhGgYXh70

Score
10/10
azorultagilenetinfostealertrojan

Malware Config

Extracted

Family

azorult

C2

http://vitani.tk/disk/index.php

Signatures

  • Azorult

    An information stealer that was first discovered in 2016, targeting browsing history and passwords.

    trojaninfostealerazorult
  • Drops startup file 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3048
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\5bd91a97aa2e10adc9c00c400b50158f_JaffaCakes118.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"
      2⤵
      • Drops startup file
      PID:2768
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"
      2⤵
        PID:2576
    • C:\Windows\explorer.exe
      C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2656
      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe"
        2⤵
        • Drops startup file
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2700
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
          3⤵
            PID:1268

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\office.exe
        Filesize

        658KB

        MD5

        5bd91a97aa2e10adc9c00c400b50158f

        SHA1

        16c2d0132914fe69e2d3bee62bd868f256a1db3a

        SHA256

        d358c87cf527ba9f5036d0fa620101d49d526c023187f29a86f3fdb8510263d6

        SHA512

        26c7b202a08e8a18c2a61ee2017b6e696f82649241335863073dd89faa05f31eac187f5d7c540733a6833b7d5ea65ecfbeeb86d9bb1af64a7b9e0a6dbcbbb304

        Download Submit

      • memory/1268-14-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1268-19-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1268-15-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1268-16-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1268-17-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1268-18-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/1268-13-0x0000000000400000-0x0000000000420000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2700-10-0x00000000011D0000-0x000000000127A000-memory.dmp

        Filesize

        680KB

        Download

      • memory/3048-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3048-1-0x0000000000EE0000-0x0000000000F8A000-memory.dmp

        Filesize

        680KB

        Download

      • memory/3048-2-0x0000000000250000-0x0000000000270000-memory.dmp

        Filesize

        128KB

        Download

      • memory/3048-7-0x0000000074BF0000-0x00000000752DE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/3048-4-0x0000000074BF0000-0x00000000752DE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/3048-3-0x0000000074BF0000-0x00000000752DE000-memory.dmp

        Filesize

        6.9MB

        Download